eBay Hacked, Requests All Users Change Passwords

As posted on May 21, 2014 on Cnet.com

By Don Reisinger

eBay confirms users' passwords were compromised but says there's no evidence any financial information was accessed.

eBay's morning just went from bad to worse. The e-commerce site confirmed Wednesday that its corporate network was hacked and a database with users' passwords was compromised. While eBay says there is no evidence that users' financial information was accessed in the hack, the company is telling all users to change their passwords.

eBay contacted CNET after this story was initially published, saying it discovered "recently" that it was a victim of "a cyber attack on our corporate information network, which compromised a database containing eBay user passwords." The company's spokesperson told CNET there is "no evidence that any financial information was accessed or compromised."

The statement follows an odd stream of events this morning when eBay-owned PayPal posted a blog entitled "eBay, Inc. to Ask All eBay users to Change Passwords." The blog post included nothing but the title, but quickly hit the Web after it was retweeted dozens of times. The blog post was then taken down from PayPal's site, causing even more confusion for users of the online auction house.

eBay has since posted information about the hack on its official blog. The company will ask all users to change their passwords starting later on Wednesday.

eBay shares are down 1.73 percent, or 90 cents, to $51.06, following news of the hack.

The database, which eBay said was compromised in late February and early March, held eBay customer's names, encrypted passwords, email addresses, physical addresses, phone numbers, and dates of birth. However, the company says users' financial information was not accessed.

"After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats," eBay wrote in the post. "However, changing passwords is a best practice and will help enhance security for eBay users."

eBay also tried to allay concerns of PayPal users who store credit card information on the service. Although eBay owns PayPal, the online auction site says that "PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted."

eBay said it detected the hack two weeks ago and engaged in forensics activities to determine what database was compromised and what was stolen. The company narrowed down the attack to "a small number of employee login credentials" stolen by cyberattackers, which it said provided access to eBay's corporate network.

Starting later on Wednesday, eBay will use email, site updates, and "other marketing channels" to request its users change their passwords. The company also encouraged its users to change the passwords on any other sites they might use with the same log-in credentials. It even ended its blog post with a security tip: "The same password should never be used across multiple sites or accounts."

eBay's hacking should be taken seriously. The e-commerce site has 128 million active users around the world. While the company has acknowledged that it will ask ever user to change their password, eBay hasn't said how many customers might have had information stolen.

With Heartbleed wreaking havoc on the Web and an increasing number of major companies having their servers hacked and personal information leaked, Web security -- or lack thereof -- is becoming a huge concern for Web users. The eBay hack could prove to be the biggest security flaw to affect users since last year's Target data breach. That hack is believed to have impacted 110 million customers and left personal information -- including names, mailing addresses, phone numbers, email addresses, and debit and credit card data -- open to hackers.

CNET has contacted eBay for more information on the hack. We will update this story when we have more information.

Don Reisinger is a technology columnist who has covered everything from HDTVs to computers to Flowbee Haircut Systems. Besides his work with CNET, Don's work has been featured in a variety of other publications including PC World and a host of Ziff-Davis publications. See full bio